Similar presentations

2 Emergence of Vehicular NetworksIn 1999, FCC allocated GHz band to promote safe and efficient highwaysIntended for vehicle-to-vehicle and vehicle-to-infrastructure communicationEmerging radio standard for Dedicated Short-Range Communications (DSRC)Based on an extension ofCar2Car Consortium expects prototypes in March 2006Must consider security, or these networks will create more problems than they solveNeed to consider security or these networks will create more problems than they solve

3 Why Vehicular Networks?SafetyOn US highways (2004):42,800 Fatalities, 2.8 Million Injuries~$230.6 Billion cost to societyEfficiencyTraffic jams waste time and fuelIn 2003, US drivers lost a total of 3.5 billion hours and 5.7 billion gallons of fuel to traffic congestionProfitSafety features and high-tech devices have become product differentiatorsThose of you who drove here know that drivers need all the help they can getDepartment of Transportation’s National Highway Traffic Safety Administration (NHTSA) (

14 Challenges: Authentication vs. PrivacyEach vehicle should only have one identityPrevents Sybil attacks (e.g., spoofed congestion)Allows use of external mechanisms (e.g. law enforcement)Drivers value their privacyLegal requirements vary from country to countryVehicles today are only partially anonymousLack of privacy may lead to lack of securityPeople already leery of speedpass. Court cases that have subpoenaed these records for divorce proceedings.Photographing license plates quite feasible

15 Challenges: AvailabilityApplications will require real-time responsesIncreases vulnerability to DoSUnreliable communication mediumStudies show only 50-60% of vehicles in range will receive a vehicle’s broadcast

16 Challenges: MobilityMobility patterns will exhibit strong correlationsTransient neighborhoodMany neighbors will only be encountered once, everMakes reputation-based systems difficultBrief periods of connectivityVehicles may only be in range for secondsLimits interaction between sender and receiver

17 Challenges: Key DistributionManufacturersRequires cooperation and interoperabilityUsers must trust all manufacturersGovernmentDMV distributionHandled at the state level, so also requires cooperation and interoperabilityRunning a Certificate Authority is non-trivialIf a single manufacturer makes a mistake, then the entire system is open to attacks.Problems not insurmountable, but they need to be considered.

18 Challenges: Low Tolerance for ErrorsStrong need for resiliencyWith 200 million cars in the US, if 5% use an application that works % of the time, still more likely to fail on some carLife-and-death applications must be resilient to occasional failuresFocus on prevention, rather than detection & recoverySafety-related applications may not have margin for driver reaction time

19 Challenges: BootstrapInitially, only a small number of vehicles will have DSRCLimited support deployment of infrastructureAd hoc network protocols allow manufacturers to incorporate security without deviating from their business model

21 Some Vehicular Properties Support SecurityRegular InspectionsMost states require annual inspectionDownload updates, CRLs, new certificatesUse software attestation to verify vehicleHonest MajorityMost drivers prefer not to tinker with their carsMay void warranty or violate the lawMust protect against wormsLeverage existing work for PCsTrusted hardware (e.g., TPMs) may help eventuallyWorm work like TaintCheck by Newsome et al.

22 Some Vehicular Properties Support SecurityAdditional inputPresumed intelligent operator at each nodeCannot distract driver, but can still gather or infer dataE.g., ignored deceleration warning may indicate a false positiveExisting enforcement mechanismsFor many attacks, attacker must be in close physical proximityMay be sufficient to identify the attacker

26 Security Primitives: Anonymization ServiceMany applications only need to connect information to a vehicle, not to a specific identityAuthenticate to anonymization service with permanent IDAnonymization service issues temporary IDOptionally include escrow for legal enforcementIdeal environment: toll roadsControlled access pointsAll temporary IDs issued by the same authorityID

31 ConclusionsWe have proposed several security primitives, but more are needed.Vehicular networks pose interesting, open security research questions.Vehicular networks will soon be deployed, and their success and safety will depend on the secure solutions we develop.Research on security in vehicular networks will have an impact in the real world.